diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js index d11d97fc1c35..5fea8a3e4d68 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js @@ -36,7 +36,7 @@ var server = http.createServer(function(req, res) { sh = 'cmd.exe', flag = '/c'; else sh = '/bin/sh', flag = '-c'; - cp.spawn(sh, [ flag, cmd ]); // $ Alert Sink + cp.spawn(sh, [ flag, cmd ]); // $ Alert let args = []; args[0] = "-c"; @@ -53,8 +53,8 @@ var server = http.createServer(function(req, res) { args[1] = cmd; // $ Sink cp.execFile(`/bin` + "/bash", args); // $ Alert - cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // $ Alert Sink - cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // $ Alert Sink + cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // $ Alert + cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // $ Alert let myArgs = []; myArgs.push(`-` + "c"); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js index 9e59ff90b140..de7e60c6962b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js @@ -12,7 +12,7 @@ function getShell() { function execSh(command, options) { var shell = getShell() - return cp.spawn(shell.cmd, [shell.arg, command], options) // $ Alert Sink + return cp.spawn(shell.cmd, [shell.arg, command], options) // $ Alert } http.createServer(function (req, res) { diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js index 5b6d770a2653..c98653e7cb42 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js @@ -7,7 +7,7 @@ function getShell() { } function execSh(command, options) { - return cp.spawn(getShell(), ["-c", command], options) // $ Alert Sink + return cp.spawn(getShell(), ["-c", command], options) // $ Alert }; http.createServer(function (req, res) { diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js index b4f75df03ac4..fc91dddf873d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js @@ -3,5 +3,5 @@ const cp = require("child_process"); module.exports.thisMethodIsImported = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink -} \ No newline at end of file + cp.exec("rm -rf " + name); // $ Alert +} diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js index 85d0402a8ae8..e7911746d6eb 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js 
@@ -1,30 +1,30 @@ var cp = require("child_process") module.exports.blah = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert cp.execFile(name, [name]); cp.execFile(name, name); }; module.exports.foo = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } module.exports.foo.bar = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } function cla() { } cla.prototype.method = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } module.exports.cla = new cla(); function cla2() { } cla2.prototype.method = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } module.exports.bla = new cla2(); @@ -32,13 +32,13 @@ module.exports.lib2 = require("./lib2.js") class Cla3 { constructor(name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } static foo(name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } bar(name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert cp.exec("rm -rf " + notASource); } @@ -47,14 +47,14 @@ class Cla3 { module.exports.cla3 = Cla3; module.exports.mz = function (name) { // $ Source - require("mz/child_process").exec("rm -rf " + name); // $ Alert Sink + require("mz/child_process").exec("rm -rf " + name); // $ Alert } module.exports.flow = function (name) { // $ Source - var cmd1 = "rm -rf " + name; // $ Alert Sink + var cmd1 = "rm -rf " + name; // $ Alert cp.exec(cmd1); - var cmd2 = "rm -rf " + name; // $ Alert Sink + var cmd2 = "rm -rf " + name; // $ Alert function myExec(cmd) { cp.exec(cmd); } 
@@ -62,25 +62,25 @@ module.exports.flow = function (name) { // $ Source } module.exports.stringConcat = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert cp.exec(name); - cp.exec("for foo in (" + name + ") do bla end"); // $ Alert Sink + cp.exec("for foo in (" + name + ") do bla end"); // $ Alert - cp.exec("cat /foO/BAR/" + name) // $ Alert Sink + cp.exec("cat /foO/BAR/" + name) // $ Alert - cp.exec("cat \"" + name + "\"") // $ Alert Sink + cp.exec("cat \"" + name + "\"") // $ Alert - cp.exec("cat '" + name + "'") // $ Alert Sink + cp.exec("cat '" + name + "'") // $ Alert - cp.exec("cat '/foo/bar" + name + "'") // $ Alert Sink + cp.exec("cat '/foo/bar" + name + "'") // $ Alert cp.exec(name + " some file") } module.exports.arrays = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert var args1 = ["node"]; args1.push(name); // $ Alert @@ -109,7 +109,7 @@ module.exports.format = function (name) { // $ Source } module.exports.valid = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert if (!isValidName(name)) { return; @@ -118,7 +118,7 @@ module.exports.valid = function (name) { // $ Source } module.exports.safe = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert if (!isSafeName(name)) { return; @@ -128,7 +128,7 @@ module.exports.safe = function (name) { // $ Source class Cla4 { wha(name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } static bla(name) { @@ -146,7 +146,7 @@ function Cla5(name) { module.exports.cla5 = new Cla5(); module.exports.indirect = function (name) { // $ Source - let cmd = "rm -rf " + name; // $ Alert Sink + let cmd = "rm -rf " + name; // $ Alert let sh = "sh"; let args = ["-c", cmd]; cp.spawn(sh, args, cb); 
@@ -158,7 +158,7 @@ module.exports.indirect2 = function (name) { // $ Source let args = ["-c", cmd]; cp.spawn(sh, args, cb); - let cmd2 = "rm -rf " + name; // $ Alert Sink + let cmd2 = "rm -rf " + name; // $ Alert var args2 = [cmd2]; cp.spawn( 'cmd.exe', @@ -170,7 +170,7 @@ module.exports.indirect2 = function (name) { // $ Source module.exports.cmd = function (command, name) { // $ Source cp.exec("fo | " + command); - cp.exec("fo | " + name); // $ Alert Sink + cp.exec("fo | " + name); // $ Alert } 
@@ -178,54 +178,54 @@ module.exports.sanitizer = function (name) { // $ Source var sanitized = "'" + name.replace(/'/g, "'\\''") + "'" cp.exec("rm -rf " + sanitized); - var broken = "'" + name.replace(/'/g, "'\''") + "'" // $ Alert Sink - cp.exec("rm -rf " + broken); // $ Alert Sink + var broken = "'" + name.replace(/'/g, "'\''") + "'" // $ Alert + cp.exec("rm -rf " + broken); // $ Alert } var path = require("path"); module.exports.guard = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert if (!path.exist(name)) { - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert return; } cp.exec("rm -rf " + name); } module.exports.blacklistOfChars = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert if (/[^A-Za-z0-9_\/:=-]/.test(name)) { - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } else { cp.exec("rm -rf " + name); } } module.exports.whitelistOfChars = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert if (/^[A-Za-z0-9_\/:=-]$/.test(name)) { cp.exec("rm -rf " + name); } else { - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } } module.exports.blackList2 = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert if (!/^([a-zA-Z0-9]+))?$/.test(name)) { - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert process.exit(-1); } - cp.exec("rm -rf " + name); // $ Sink SPURIOUS: Alert - FP due to tracking flow through `process.exit()`. + cp.exec("rm -rf " + name); // $ SPURIOUS: Alert - FP due to tracking flow through `process.exit()`. 
} module.exports.accessSync = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert try { path.accessSync(name); @@ -233,7 +233,7 @@ module.exports.accessSync = function (name) { // $ Source return; } - cp.exec("rm -rf " + name); // $ Sink SPURIOUS: Alert - FP due to `path.accessSync` not being recognized as a sanitizer. + cp.exec("rm -rf " + name); // $ SPURIOUS: Alert - FP due to `path.accessSync` not being recognized as a sanitizer. } var cleanInput = function (s) { @@ -246,26 +246,26 @@ var cleanInput = function (s) { } module.exports.goodSanitizer = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert var cleaned = cleanInput(name); - cp.exec("rm -rf " + cleaned); // $ Sink SPURIOUS: Alert - SanitizingRegExpTest is not able to generate a barrier edge for an edge into a phi node. + cp.exec("rm -rf " + cleaned); // $ SPURIOUS: Alert - SanitizingRegExpTest is not able to generate a barrier edge for an edge into a phi node. } var fs = require("fs"); module.exports.guard2 = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert if (!fs.existsSync("prefix/" + name)) { - cp.exec("rm -rf prefix/" + name); // $ Alert Sink + cp.exec("rm -rf prefix/" + name); // $ Alert return; } cp.exec("rm -rf prefix/" + name); } module.exports.sanitizerProperty = function (obj) { // $ Source - cp.exec("rm -rf " + obj.version); // $ Alert Sink + cp.exec("rm -rf " + obj.version); // $ Alert obj.version = ""; @@ -274,11 +274,11 @@ module.exports.sanitizerProperty = function (obj) { // $ Source module.exports.Foo = class Foo { start(opts) { // $ Source - cp.exec("rm -rf " + opts.bla); // $ Alert Sink + cp.exec("rm -rf " + opts.bla); // $ Alert this.opts = {}; this.opts.bla = opts.bla - cp.exec("rm -rf " + this.opts.bla); // $ Alert Sink + cp.exec("rm -rf " + this.opts.bla); // $ Alert } } 
@@ -305,24 +305,24 @@ function sanitizeShellString(str) { } module.exports.sanitizer2 = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert var sanitized = sanitizeShellString(name); cp.exec("rm -rf " + sanitized); } module.exports.typeofcheck = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert if (typeof name === "undefined") { cp.exec("rm -rf " + name); } else { - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } } module.exports.typeofcheck = function (arg) { // $ Source - var cmd = "MyWindowCommand | findstr /i /c:" + arg; // $ Alert Sink + var cmd = "MyWindowCommand | findstr /i /c:" + arg; // $ Alert cp.exec(cmd); } @@ -337,7 +337,7 @@ module.exports.unproblematic = function() { }; module.exports.problematic = function(n) { // $ Source - cp.exec("rm -rf " + id(n)); // $ Alert Sink + cp.exec("rm -rf " + id(n)); // $ Alert }; module.exports.typeofNumber = function(n) { @@ -348,7 +348,7 @@ module.exports.typeofNumber = function(n) { function boundProblem(safe, unsafe) { // $ Source cp.exec("rm -rf " + safe); - cp.exec("rm -rf " + unsafe); // $ Alert Sink + cp.exec("rm -rf " + unsafe); // $ Alert } Object.defineProperty(module.exports, "boundProblem", { @@ -403,7 +403,7 @@ function yetAnohterSanitizer(str) { } module.exports.sanitizer3 = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert var sanitized = yetAnohterSanitizer(name); cp.exec("rm -rf " + sanitized); 
@@ -412,7 +412,7 @@ module.exports.sanitizer3 = function (name) { // $ Source const cp = require("child_process"); const spawn = cp.spawn; module.exports.shellOption = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert cp.execFile("rm", ["-rf", name], {shell: true}, (err, out) => {}); // $ Alert cp.spawn("rm", ["-rf", name], {shell: true}); // $ Alert @@ -439,12 +439,12 @@ function build(first, last) { var asyncExec = require("async-execute"); module.exports.asyncStuff = function (name) { // $ Source - asyncExec("rm -rf " + name); // $ Alert Sink + asyncExec("rm -rf " + name); // $ Alert } const myFuncs = { myFunc: function (name) { // $ Source - asyncExec("rm -rf " + name); // $ Alert Sink + asyncExec("rm -rf " + name); // $ Alert } }; @@ -480,7 +480,7 @@ module.exports.check = function check(config) { // $ Source } module.exports.splitConcat = function (name) { // $ Source - let args = ' my name is ' + name; // $ Alert Sink + let args = ' my name is ' + name; // $ Alert let cmd = 'echo'; cp.exec(cmd + args); } @@ -496,7 +496,7 @@ module.exports.myCommand = function (myCommand) { }; module.exports.myIndirectThing = function (name) { // $ Source - MyThing.cp.exec("rm -rf " + name); // $ Alert Sink + MyThing.cp.exec("rm -rf " + name); // $ Alert } }); 
@@ -507,42 +507,42 @@ for (var name in imp){ } module.exports.sanitizer4 = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert if (isNaN(name)) { - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } else { cp.exec("rm -rf " + name); } if (isNaN(parseInt(name))) { - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } else { cp.exec("rm -rf " + name); } if (isNaN(+name)) { - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } else { cp.exec("rm -rf " + name); } if (isNaN(parseInt(name, 10))) { - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } else { cp.exec("rm -rf " + name); } if (isNaN(name - 0)) { - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } else { cp.exec("rm -rf " + name); } if (isNaN(name | 0)) { // <- not a sanitizer - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } else { - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } } 
@@ -557,26 +557,26 @@ module.exports.shellThing = function (name) { // $ Source module.exports.badSanitizer = function (name) { // $ Source if (!name.match(/^(.|\.){1,64}$/)) { // <- bad sanitizer - exec("rm -rf " + name); // $ Alert Sink + exec("rm -rf " + name); // $ Alert } else { - exec("rm -rf " + name); // $ Alert Sink + exec("rm -rf " + name); // $ Alert } if (!name.match(/^\w{1,64}$/)) { // <- good sanitizer - exec("rm -rf " + name); // $ Alert Sink + exec("rm -rf " + name); // $ Alert } else { exec("rm -rf " + name); } } module.exports.safeWithBool = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert if (isSafeName(name)) { cp.exec("rm -rf " + name); } - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert if (isSafeName(name) === true) { cp.exec("rm -rf " + name); @@ -587,10 +587,10 @@ module.exports.safeWithBool = function (name) { // $ Source } if (isSafeName(name) == false) { - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } function indirectThing(name) { @@ -606,7 +606,7 @@ function moreIndirect(name) { } module.exports.veryIndeirect = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert if (indirectThing(name)) { cp.exec("rm -rf " + name); 
@@ -623,15 +623,15 @@ module.exports.veryIndeirect = function (name) { // $ Source if (moreIndirect(name) !== false) { cp.exec("rm -rf " + name); } else { - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } - cp.exec("rm -rf " + name); // $ Alert Sink + cp.exec("rm -rf " + name); // $ Alert } module.exports.sanitizer = function (name) { // $ Source - var sanitized = "'" + name.replace(new RegExp("\'"), "'\\''") + "'" // $ Alert Sink - cp.exec("rm -rf " + sanitized); // $ Alert Sink + var sanitized = "'" + name.replace(new RegExp("\'"), "'\\''") + "'" // $ Alert + cp.exec("rm -rf " + sanitized); // $ Alert var sanitized = "'" + name.replace(new RegExp("\'", 'g'), "'\\''") + "'" cp.exec("rm -rf " + sanitized); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js index 9c427622c770..2f0d80b60e09 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js @@ -1,9 +1,9 @@ var cp = require("child_process") module.exports = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink - is imported from main module. + cp.exec("rm -rf " + name); // $ Alert - is imported from main module. }; module.exports.foo = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink - is imported from main module. -}; \ No newline at end of file + cp.exec("rm -rf " + name); // $ Alert - is imported from main module. +}; diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js index e268f47c4e20..ab9be8e4eaf5 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js @@ -1,5 +1,5 @@ const cp = require("child_process"); module.exports = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink - this function is exported from `amd.js` -}; \ No newline at end of file + cp.exec("rm -rf " + name); // $ Alert - this function is exported from `amd.js` +}; diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js index 0b1abc951286..d422ac9184ae 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js @@ -1,15 +1,15 @@ var cp = require("child_process") module.exports = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged. + cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged. }; module.exports.foo = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink - this is being called explicitly from child_process-test.js + cp.exec("rm -rf " + name); // $ Alert - this is being called explicitly from child_process-test.js }; module.exports.amd = require("./amd.js"); module.exports.arrToShell = function (cmd, arr) { // $ Source cp.spawn("echo", arr, {shell: true}); // $ Alert -} \ No newline at end of file +} 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts index e6b7a10bacf6..b10ee80481eb 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts @@ -1,5 +1,5 @@ var cp = require("child_process") export default function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink - the "files" directory points to this file. + cp.exec("rm -rf " + name); // $ Alert - the "files" directory points to this file. } diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js index 853e144a0d62..b5740c3057ec 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js @@ -1,5 +1,5 @@ var cp = require("child_process") module.exports = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink - the "files" directory points to this file. -}; \ No newline at end of file + cp.exec("rm -rf " + name); // $ Alert - the "files" directory points to this file. +}; diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts index f28c157a5ead..7320835f8ece 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts 
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts @@ -1,5 +1,5 @@ var cp = require("child_process") module.exports = function (name) { // $ Source - cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged. + cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged. }; diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js index b8da58006c7c..bc9e51562033 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js @@ -1,5 +1,5 @@ const cp = require("child_process") module.exports = function (name) { - cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged. + cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged. }; diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/closure.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/closure.js index 19f928a015b4..45951253dd7a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/closure.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/closure.js @@ -1,5 +1,5 @@ goog.module('x.y.z.closure2'); exports = function (x) { // $ Source[js/polynomial-redos] - /u*o/.test(x); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] -} \ No newline at end of file + /u*o/.test(x); // $ Alert[js/polynomial-redos] +} diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/indirect.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/indirect.js index 12577a4de312..a6c712ad7cb8 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/indirect.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/indirect.js @@ -1,3 +1,3 @@ module.exports.foo = function (x) { // $ Source[js/polynomial-redos] - /k*h/.test(x); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] -} \ No newline at end of file + /k*h/.test(x); // $ Alert[js/polynomial-redos] +} diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/lib.js index 313d555f9f5a..b22ef792b935 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/lib.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/lib.js @@ -1,11 +1,11 @@ var regexp = /a*b/; module.exports = function (name) { // $ Source[js/polynomial-redos] - regexp.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] + regexp.test(name); // $ Alert[js/polynomial-redos] }; function bar(reg, name) { // $ Source[js/polynomial-redos] - /f*g/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] + /f*g/.test(name); // $ Alert[js/polynomial-redos] } if (typeof define !== 'undefined' && define.amd) { // AMD @@ -33,16 +33,16 @@ module.exports.useArguments = function () { } function usedWithArguments(name) { - /f*g/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] + /f*g/.test(name); // $ Alert[js/polynomial-redos] } module.exports.snapdragon = require("./snapdragon") module.exports.foo = function (name) { // $ Source[js/polynomial-redos] - var data1 = name.match(/f*g/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] + var data1 = name.match(/f*g/); // $ Alert[js/polynomial-redos] name = name.substr(1); - var data2 = name.match(/f*g/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] + var data2 = name.match(/f*g/); // $ Alert[js/polynomial-redos] } var indirectAssign = {}; 
@@ -50,6 +50,6 @@ module.exports.indirectAssign = indirectAssign; Object.assign(indirectAssign, { myThing: function (name) { // $ Source[js/polynomial-redos] - /f*g/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] + /f*g/.test(name); // $ Alert[js/polynomial-redos] }, -}); \ No newline at end of file +}); diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/moduleLib/moduleLib.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/moduleLib/moduleLib.js index 44c24db352e4..8d7f26935da4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/moduleLib/moduleLib.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/moduleLib/moduleLib.js @@ -1,3 +1,3 @@ module.exports = function (name) { // $ Source[js/polynomial-redos] - /a*b/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] + /a*b/.test(name); // $ Alert[js/polynomial-redos] }; diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/otherLib/js/src/index.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/otherLib/js/src/index.js index 44c24db352e4..8d7f26935da4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/otherLib/js/src/index.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/otherLib/js/src/index.js @@ -1,3 +1,3 @@ module.exports = function (name) { // $ Source[js/polynomial-redos] - /a*b/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] + /a*b/.test(name); // $ Alert[js/polynomial-redos] }; diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/snapdragon.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/snapdragon.js index ce6dae71ea85..3749edca43f9 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/snapdragon.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/snapdragon.js 
@@ -4,7 +4,7 @@ module.exports.test1 = function (input) { // $ Source[js/polynomial-redos] var snapdragon = new Snapdragon(); var ast = snapdragon.parser .set("foo", function () { - var m = this.match(/aa*$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] + var m = this.match(/aa*$/); // $ Alert[js/polynomial-redos] }) .parse(input, options); }; @@ -12,7 +12,7 @@ module.exports.test1 = function (input) { // $ Source[js/polynomial-redos] module.exports.test2 = function (input) { // $ Source[js/polynomial-redos] var snapdragon = new Snapdragon(); snapdragon.parser.set("foo", function () { - var m = this.match(/aa*$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] + var m = this.match(/aa*$/); // $ Alert[js/polynomial-redos] }); snapdragon.parse(input, options); }; @@ -20,7 +20,7 @@ module.exports.test2 = function (input) { // $ Source[js/polynomial-redos] module.exports.test3 = function (input) { // $ Source[js/polynomial-redos] var snapdragon = new Snapdragon(); snapdragon.compiler.set("foo", function (node) { - node.val.match(/aa*$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] + node.val.match(/aa*$/); // $ Alert[js/polynomial-redos] }); snapdragon.compile(input, options); }; diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib4/factory.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib4/factory.js index 088fe11e20a1..31c39e974ca8 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib4/factory.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib4/factory.js @@ -5,6 +5,6 @@ }(this, (function (exports) { 'use strict'; exports.foo = function (name) { // $ Source[js/polynomial-redos] - /f*g/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] + /f*g/.test(name); // $ Alert[js/polynomial-redos] } -}))); \ No newline at end of file +}))); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib5/feature.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib5/feature.js index 44c24db352e4..5c73d32f7011 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib5/feature.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib5/feature.js @@ -1,3 +1,3 @@ module.exports = function (name) { // $ Source[js/polynomial-redos] - /a*b/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] -}; + /a*b/.test(name); // $ Alert[js/polynomial-redos] +} diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib5/main.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib5/main.js index daf462fea1cf..92463bf21b5f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib5/main.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib5/main.js @@ -1,5 +1,5 @@ module.exports = function (name) { // $ Source[js/polynomial-redos] - /a*b/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] + /a*b/.test(name); // $ Alert[js/polynomial-redos] }; const SubClass = require('./subclass'); diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib5/subclass.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib5/subclass.js index 9786b49b0327..c09dc8ada30f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib5/subclass.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib5/subclass.js @@ -2,7 +2,7 @@ class Subclass { constructor() {} define(name) { // $ Source[js/polynomial-redos] - /a*b/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] + /a*b/.test(name); // $ Alert[js/polynomial-redos] } } 
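Review bot: In the subLib5/feature.js hunk the closing line changes from `};` to `}`, which is unrelated to the expectation-comment clean-up this commit makes and leaves the file inconsistent with its sibling subLib5/main.js on the same patch line, where `module.exports = function (name) { … };` keeps the terminator. The old blob hash of feature.js matches moduleLib.js (44c24db352e4) while the new hashes differ, which appears to be exactly this stray semicolon; I cannot see the rest of the file, so treat that as inferred. The assignment is still valid JavaScript without the semicolon, so nothing breaks, but the hunk should only touch the comment: `+};`.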
diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib6/index.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib6/index.js index dd5b0db354fe..9155913f76b7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib6/index.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/subLib6/index.js @@ -1,3 +1,3 @@ module.exports.foo = function (name) { // $ Source[js/polynomial-redos] - /f*g/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] -} \ No newline at end of file + /f*g/.test(name); // $ Alert[js/polynomial-redos] +} diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/sublib/factory.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/sublib/factory.js index 5ba28dca4217..3bcbe5aaf52e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/sublib/factory.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/sublib/factory.js @@ -10,7 +10,7 @@ }(this, function () { function create() { return function (name) { // $ Source[js/polynomial-redos] - /f*g/.test(name); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] + /f*g/.test(name); // $ Alert[js/polynomial-redos] } } return create() diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/polynomial-redos.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/polynomial-redos.js index be1f8d9577ac..5f2dee1c744f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/polynomial-redos.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/polynomial-redos.js 
@@ -4,140 +4,140 @@ var app = express();
 app.use(function(req, res) {
 let tainted = req.query.tainted; // $ Source[js/polynomial-redos]
- tainted.replace(/^\s+|\s+$/g, ''); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- tainted.split(/ *, */); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- tainted.replace(/\s*\n\s*/g, ' '); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.replace(/^\s+|\s+$/g, ''); // $ Alert[js/polynomial-redos]
+ tainted.split(/ *, */); // $ Alert[js/polynomial-redos]
+ tainted.replace(/\s*\n\s*/g, ' '); // $ Alert[js/polynomial-redos]
 tainted.split('\n');
- tainted.replace(/.*[/\\]/, ''); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- tainted.replace(/.*\./, ''); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.replace(/.*[/\\]/, ''); // $ Alert[js/polynomial-redos]
+ tainted.replace(/.*\./, ''); // $ Alert[js/polynomial-redos]
 tainted.replace(/^.*[/\\]/, '');
 tainted.replace(/^.*\./, '');
- tainted.replace(/^(`+)\s*([\s\S]*?[^`])\s*\1(?!`)/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- tainted.replace(/^(`+)([\s\S]*?[^`])\1(?!`)/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- /^(.*,)+(.+)?$/.test(tainted); // $ Alert[js/polynomial-redos] Alert[js/redos] Sink[js/polynomial-redos]
- tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF\/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] - even though it is a proposed fix for the above
- tainted.match(/^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.replace(/^(`+)\s*([\s\S]*?[^`])\s*\1(?!`)/); // $ Alert[js/polynomial-redos]
+ tainted.replace(/^(`+)([\s\S]*?[^`])\1(?!`)/); // $ Alert[js/polynomial-redos]
+ /^(.*,)+(.+)?$/.test(tainted); // $ Alert[js/polynomial-redos] Alert[js/redos]
+ tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i); // $ Alert[js/polynomial-redos]
+ tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF\/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i); // $ Alert[js/polynomial-redos] - even though it is a proposed fix for the above
+ tainted.match(/^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/); // $ Alert[js/polynomial-redos]
 if (tainted.length < 7000) {
 tainted.match(/^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/); // OK - but flagged
 }
- tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/ \t\n]+[=]*)(.*)$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/ \t\n]+[=]*)(.*)$/); // $ Alert[js/polynomial-redos]
 tainted.match(/^([a-z0-9-]+)[ \t\n]+([a-zA-Z0-9+\/][a-zA-Z0-9+\/ \t\n=]*)([^a-zA-Z0-9+\/ \t\n=].*)?$/);
 /[a-z][A-Z]|[A-Z]{2,}[a-z]|[0-9][a-zA-Z]|[a-zA-Z][0-9]|[^a-zA-Z0-9 ]/.test(tainted); // $ MISSING: Alert[js/polynomial-redos] - not detected due to not supporting ranges
 /[a-z][A-Z]|[A-Z]{2}[a-z]|[0-9][a-zA-Z]|[a-zA-Z][0-9]|[^a-zA-Z0-9 ]/.test(tainted);
- tainted.replace(/[?]+.*$/g, ""); // $ Sink[js/polynomial-redos] SPURIOUS: Alert[js/polynomial-redos] - can not fail once a match has started
+ tainted.replace(/[?]+.*$/g, ""); // $ SPURIOUS: Alert[js/polynomial-redos] - can not fail once a match has started
 tainted.replace(/\-\-+/g, "-").replace(/-+$/, ""); // OK - indirectly sanitized
 tainted.replace(/\n\n\n+/g, "\n").replace(/\n*$/g, ""); // OK - indirectly sanitized
- tainted.match(/(.)*solve\/challenges\/server-side(.)*/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.match(/(.)*solve\/challenges\/server-side(.)*/); // $ Alert[js/polynomial-redos]
 tainted.match(/(?![\s\S]*)/i);
- tainted.match(/<.*class="([^"]+)".*>/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- tainted.match(/<.*style="([^"]+)".*>/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- tainted.match(/<.*href="([^"]+)".*>/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.match(/<.*class="([^"]+)".*>/); // $ Alert[js/polynomial-redos]
+ tainted.match(/<.*style="([^"]+)".*>/); // $ Alert[js/polynomial-redos]
+ tainted.match(/<.*href="([^"]+)".*>/); // $ Alert[js/polynomial-redos]
- tainted.match(/^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.match(/^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/); // $ Alert[js/polynomial-redos]
 tainted.match(/^([^-]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)*$/); // $ Alert[js/redos] - it is a fix for the above, but it introduces exponential complexity elsewhere
- tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([\n \t]+([^\n]+))?$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([\n \t]+([^\n]+))?$/); // $ Alert[js/polynomial-redos]
 tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([ \t]+([^ \t][^\n]*[\n]*)?)?$/);
 tainted.match(/^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)+$/); // $ Alert[js/redos]
 tainted.match(/^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)(?:\.[a-zA-Z_][a-zA-Z_0-9]*)*$/);
- tainted.replaceAll(/\s*\n\s*/g, ' '); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
-
- /Y.*X/.test(tainted); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- /B?(YH|K)(YH|J)*X/.test(tainted) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- (/B?(YH|K).*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- /(B|Y)+(Y)*X/.test(tainted) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- (/(B|Y)+(.)*X/.test(tainted)) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- (/f(B|Y)+(Y)*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- /f(B|Y)+(Y)*X/.test(tainted) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- (/f(B|Y)+(Y|K)*X/.test(tainted)) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- (/f(B|Y)+.*X/.test(tainted)) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- (/f(B|Y)+(.)*X/.test(tainted)) // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.replaceAll(/\s*\n\s*/g, ' '); // $ Alert[js/polynomial-redos]
+
+ /Y.*X/.test(tainted); // $ Alert[js/polynomial-redos]
+ /B?(YH|K)(YH|J)*X/.test(tainted) // $ Alert[js/polynomial-redos]
+ (/B?(YH|K).*X/.test(tainted)); // $ Alert[js/polynomial-redos]
+ /(B|Y)+(Y)*X/.test(tainted) // $ Alert[js/polynomial-redos]
+ (/(B|Y)+(.)*X/.test(tainted)) // $ Alert[js/polynomial-redos]
+ (/f(B|Y)+(Y)*X/.test(tainted)); // $ Alert[js/polynomial-redos]
+ /f(B|Y)+(Y)*X/.test(tainted) // $ Alert[js/polynomial-redos]
+ (/f(B|Y)+(Y|K)*X/.test(tainted)) // $ Alert[js/polynomial-redos]
+ (/f(B|Y)+.*X/.test(tainted)) // $ Alert[js/polynomial-redos]
+ (/f(B|Y)+(.)*X/.test(tainted)) // $ Alert[js/polynomial-redos]
 (/^(.)*X/.test(tainted));
 (/^Y(Y)*X/.test(tainted));
- (/^Y*Y*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- (/^(K|Y)+Y*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- (/^foo(K|Y)+Y*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- (/^foo(K|Y)+.*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- (/(K|Y).*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- (/[^Y].*X/.test(tainted)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ (/^Y*Y*X/.test(tainted)); // $ Alert[js/polynomial-redos]
+ (/^(K|Y)+Y*X/.test(tainted)); // $ Alert[js/polynomial-redos]
+ (/^foo(K|Y)+Y*X/.test(tainted)); // $ Alert[js/polynomial-redos]
+ (/^foo(K|Y)+.*X/.test(tainted)); // $ Alert[js/polynomial-redos]
+ (/(K|Y).*X/.test(tainted)); // $ Alert[js/polynomial-redos]
+ (/[^Y].*X/.test(tainted)); // $ Alert[js/polynomial-redos]
 (/[^Y].*$/.test(req.url)); // OK - the input cannot contain newlines.
- (/[^Y].*$/.test(req.body)); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ (/[^Y].*$/.test(req.body)); // $ Alert[js/polynomial-redos]
- tainted.match(/^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.match(/^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/); // $ Alert[js/polynomial-redos]
- tainted.match(new RegExp("(MSIE) (\\d+)\\.(\\d+).*XBLWP7")); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.match(new RegExp("(MSIE) (\\d+)\\.(\\d+).*XBLWP7")); // $ Alert[js/polynomial-redos]
- tainted.match(/<.*class="([^"]+)".*>/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.match(/<.*class="([^"]+)".*>/); // $ Alert[js/polynomial-redos]
- tainted.match(/Y.*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.match(/Y.*X/); // $ Alert[js/polynomial-redos]
 tatined.match(/B?(YH|K)(YH|J)*X/); // $ MISSING: Alert[js/polynomial-redos]
- tainted.match(/a*b/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos] - the initial repetition can start matching anywhere.
- tainted.match(/cc*D/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.match(/a*b/); // $ Alert[js/polynomial-redos] - the initial repetition can start matching anywhere.
+ tainted.match(/cc*D/); // $ Alert[js/polynomial-redos]
 tainted.match(/^ee*F/);
 tainted.match(/^g*g*/);
 tainted.match(/^h*i*/);
- tainted.match(/^(ab)*ab(ab)*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.match(/^(ab)*ab(ab)*X/); // $ Alert[js/polynomial-redos]
- tainted.match(/aa*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- tainted.match(/^a*a*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- tainted.match(/\wa*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.match(/aa*X/); // $ Alert[js/polynomial-redos]
+ tainted.match(/^a*a*X/); // $ Alert[js/polynomial-redos]
+ tainted.match(/\wa*X/); // $ Alert[js/polynomial-redos]
 tainted.match(/a*b*c*/);
 tainted.match(/a*a*a*a*/);
- tainted.match(/^([3-7]|A)*([2-5]|B)*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- tainted.match(/^\d*([2-5]|B)*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- tainted.match(/^([3-7]|A)*\d*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.match(/^([3-7]|A)*([2-5]|B)*X/); // $ Alert[js/polynomial-redos]
+ tainted.match(/^\d*([2-5]|B)*X/); // $ Alert[js/polynomial-redos]
+ tainted.match(/^([3-7]|A)*\d*X/); // $ Alert[js/polynomial-redos]
- tainted.match(/^(ab)+ab(ab)+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.match(/^(ab)+ab(ab)+X/); // $ Alert[js/polynomial-redos]
- tainted.match(/aa+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- tainted.match(/a+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- tainted.match(/^a+a+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- tainted.match(/\wa+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- tainted.match(/a+b+c+/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.match(/aa+X/); // $ Alert[js/polynomial-redos]
+ tainted.match(/a+X/); // $ Alert[js/polynomial-redos]
+ tainted.match(/^a+a+X/); // $ Alert[js/polynomial-redos]
+ tainted.match(/\wa+X/); // $ Alert[js/polynomial-redos]
+ tainted.match(/a+b+c+/); // $ Alert[js/polynomial-redos]
 tainted.match(/a+a+a+a+/);
- tainted.match(/^([3-7]|A)+([2-5]|B)+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- tainted.match(/^\d+([2-5]|B)+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- tainted.match(/^([3-7]|A)+\d+X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.match(/^([3-7]|A)+([2-5]|B)+X/); // $ Alert[js/polynomial-redos]
+ tainted.match(/^\d+([2-5]|B)+X/); // $ Alert[js/polynomial-redos]
+ tainted.match(/^([3-7]|A)+\d+X/); // $ Alert[js/polynomial-redos]
- tainted.match(/\s*$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- tainted.match(/\s+$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.match(/\s*$/); // $ Alert[js/polynomial-redos]
+ tainted.match(/\s+$/); // $ Alert[js/polynomial-redos]
- tainted.match(/^\d*5\w*$/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.match(/^\d*5\w*$/); // $ Alert[js/polynomial-redos]
- tainted.match(/\/\*[\d\D]*?\*\//g); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.match(/\/\*[\d\D]*?\*\//g); // $ Alert[js/polynomial-redos]
- tainted.match(/(#\d+)+/); // $ Sink[js/polynomial-redos] SPURIOUS: Alert[js/polynomial-redos] - flagged due to insufficient suffix-checking.
+ tainted.match(/(#\d+)+/); // $ SPURIOUS: Alert[js/polynomial-redos] - flagged due to insufficient suffix-checking.
 (function foo() {
 var replaced = tainted.replace(/[^\w\s\-\.\_~]/g, '');
 var result = ""
 result += replaced;
- result = result.replace(/^\s+|\s+$/g, ''); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ result = result.replace(/^\s+|\s+$/g, ''); // $ Alert[js/polynomial-redos]
 })();
 tainted.match(/(https?:\/\/[^\s]+)/gm);
 var modified = tainted.replace(/a/g, "b");
- modified.replace(/cc+D/g, "b"); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ modified.replace(/cc+D/g, "b"); // $ Alert[js/polynomial-redos]
 var modified2 = tainted.replace(/a|b|c|\d/g, "e");
- modified2.replace(/ff+G/g, "b"); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ modified2.replace(/ff+G/g, "b"); // $ Alert[js/polynomial-redos]
 var modified3 = tainted.replace(/\s+/g, "");
- modified3.replace(/hh+I/g, "b"); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ modified3.replace(/hh+I/g, "b"); // $ Alert[js/polynomial-redos]
- tainted.match(/(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)C.*X/); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ tainted.match(/(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)C.*X/); // $ Alert[js/polynomial-redos]
- modified3.replace(new RegExp("hh+I", "g"), "b"); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- modified3.replace(new RegExp("hh+I", unknownFlags()), "b"); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
- modified3.replace(new RegExp("hh+I", ""), "b"); // $ Alert[js/polynomial-redos] Sink[js/polynomial-redos]
+ modified3.replace(new RegExp("hh+I", "g"), "b"); // $ Alert[js/polynomial-redos]
+ modified3.replace(new RegExp("hh+I", unknownFlags()), "b"); // $ Alert[js/polynomial-redos]
+ modified3.replace(new RegExp("hh+I", ""), "b"); // $ Alert[js/polynomial-redos]
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route.serverSide.ts b/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route.serverSide.ts
index f3d05b7e5aa2..b06ac98b9b36 100644
--- a/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route.serverSide.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route.serverSide.ts
@@ -1,5 +1,5 @@
 export async function POST(req: Request) {
 const { url } = await req.json(); // $ Source[js/request-forgery]
- const res = await fetch(url); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ const res = await fetch(url); // $ Alert[js/request-forgery]
 return new Response(res.body, { headers: res.headers });
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route2.serverSide.ts b/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route2.serverSide.ts
index 051ba67e401f..82cdcc509fcd 100644
--- a/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route2.serverSide.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route2.serverSide.ts
@@ -2,7 +2,7 @@ import { NextRequest, NextResponse } from 'next/server';
 export async function POST(req: NextRequest) {
 const { url } = await req.json(); // $ Source[js/request-forgery]
- const res = await fetch(url); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ const res = await fetch(url); // $ Alert[js/request-forgery]
 const data = await res.text();
 return new NextResponse(data, { headers: res.headers });
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/Request/middleware.ts b/javascript/ql/test/query-tests/Security/CWE-918/Request/middleware.ts
index 3db3a4bae3b4..504448497806 100644
--- a/javascript/ql/test/query-tests/Security/CWE-918/Request/middleware.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-918/Request/middleware.ts
@@ -4,15 +4,14 @@ export async function middleware(req: NextRequest) {
 const target = req.nextUrl // $ Source[js/request-forgery]
 const target2 = target.searchParams.get('target'); // $ Source[js/request-forgery]
 if (target) {
- const res = await fetch(target) // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ const res = await fetch(target) // $ Alert[js/request-forgery]
 const data = await res.text()
 return new NextResponse(data)
 }
 if (target2) {
- const res = await fetch(target2); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ const res = await fetch(target2); // $ Alert[js/request-forgery]
 const data = await res.text();
 return new NextResponse(data);
 }
 return NextResponse.next()
 }
-
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/apollo.serverSide.ts b/javascript/ql/test/query-tests/Security/CWE-918/apollo.serverSide.ts
index 0f1c4afa554c..da4c5a9693d8 100644
--- a/javascript/ql/test/query-tests/Security/CWE-918/apollo.serverSide.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-918/apollo.serverSide.ts
@@ -5,7 +5,7 @@ function createApolloServer(typeDefs) {
 const resolvers = {
 Mutation: {
 downloadFiles: async (_, { files }) => { // $ Source[js/request-forgery]
- files.forEach((file) => { get(file.url, (res) => {}); }); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ files.forEach((file) => { get(file.url, (res) => {}); }); // $ Alert[js/request-forgery]
 return true;
 },
 },
@@ -15,7 +15,7 @@ function createApolloServer(typeDefs) {
 const resolvers2 = {
 Mutation: {
 downloadFiles: async (_, { files }) => { // $ Source[js/request-forgery]
- files.forEach((file) => { get(file.url, (res) => {}); }); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ files.forEach((file) => { get(file.url, (res) => {}); }); // $ Alert[js/request-forgery]
 return true;
 },
 },
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js b/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js
index d546d809a9dd..aa4174cd9ab7 100644
--- a/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js
+++ b/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js
@@ -9,16 +9,16 @@ export function MyComponent() {
 request(params.foo); // Possibly problematic, but not currently flagged.
 const query = window.location.search.substring(1); // $ Source[js/client-side-request-forgery]
- request('https://example.com/api/' + query + '/id'); // $ Alert[js/client-side-request-forgery] Sink[js/client-side-request-forgery]
+ request('https://example.com/api/' + query + '/id'); // $ Alert[js/client-side-request-forgery]
 request('https://example.com/api?q=' + query);
- request('https://example.com/api/' + window.location.search); // $ Alert[js/client-side-request-forgery] Sink[js/client-side-request-forgery] - likely OK - but currently flagged anyway
+ request('https://example.com/api/' + window.location.search); // $ Alert[js/client-side-request-forgery] - likely OK - but currently flagged anyway
 const fragment = window.location.hash.substring(1); // $ Source[js/client-side-request-forgery]
- request('https://example.com/api/' + fragment + '/id'); // $ Alert[js/client-side-request-forgery] Sink[js/client-side-request-forgery]
+ request('https://example.com/api/' + fragment + '/id'); // $ Alert[js/client-side-request-forgery]
 request('https://example.com/api?q=' + fragment);
 const name = window.name; // $ Source[js/client-side-request-forgery]
- request('https://example.com/api/' + name + '/id'); // $ Alert[js/client-side-request-forgery] Sink[js/client-side-request-forgery]
+ request('https://example.com/api/' + name + '/id'); // $ Alert[js/client-side-request-forgery]
 request('https://example.com/api?q=' + name);
 request(window.location.href + '?q=123');
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js
index fce762084455..3f9392c5d992 100644
--- a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js
+++ b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js
@@ -15,34 +15,34 @@ var server = http.createServer(function(req, res) {
 request("example.com");
- request(tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ request(tainted); // $ Alert[js/request-forgery]
- request.get(tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ request.get(tainted); // $ Alert[js/request-forgery]
 var options = {};
 options.url = tainted; // $ Sink[js/request-forgery]
 request(options); // $ Alert[js/request-forgery]
- request("http://" + tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ request("http://" + tainted); // $ Alert[js/request-forgery]
- request("http://example.com" + tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ request("http://example.com" + tainted); // $ Alert[js/request-forgery]
- request("http://example.com/" + tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ request("http://example.com/" + tainted); // $ Alert[js/request-forgery]
 request("http://example.com/?" + tainted);
- http.get(relativeUrl, {host: tainted}); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ http.get(relativeUrl, {host: tainted}); // $ Alert[js/request-forgery]
- XhrIo.send(new Uri(tainted)); // $ Alert[js/request-forgery] Sink[js/request-forgery]
- new XhrIo().send(new Uri(tainted)); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ XhrIo.send(new Uri(tainted)); // $ Alert[js/request-forgery]
+ new XhrIo().send(new Uri(tainted)); // $ Alert[js/request-forgery]
 let base = require('./config').base;
- request(`http://example.com/${base}/${tainted}`); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ request(`http://example.com/${base}/${tainted}`); // $ Alert[js/request-forgery]
- request(`http://example.com/${base}/v1/${tainted}`); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ request(`http://example.com/${base}/v1/${tainted}`); // $ Alert[js/request-forgery]
- request('http://example.com/' + base + '/' + tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ request('http://example.com/' + base + '/' + tainted); // $ Alert[js/request-forgery]
 request('http://example.com/' + base + ('/' + tainted)); // $ MISSING: Alert
@@ -58,14 +58,14 @@ var server = http.createServer(async function(req, res) {
 var tainted = url.parse(req.url, true).query.url; // $ Source[js/request-forgery]
 var client = await CDP(options);
- client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery]
 CDP(options).catch((ignored) => {}).then((client) => {
- client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery]
 })
 CDP(options, (client) => {
- client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery]
 });
 })
@@ -73,7 +73,7 @@ import {JSDOM} from "jsdom";
 var server = http.createServer(async function(req, res) {
 var tainted = url.parse(req.url, true).query.url; // $ Source[js/request-forgery]
- JSDOM.fromURL(tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ JSDOM.fromURL(tainted); // $ Alert[js/request-forgery]
 });
 var route = require('koa-route');
@@ -81,15 +81,15 @@ var Koa = require('koa');
 var app = new Koa();
 app.use(route.get('/pets', (context, param1, param2, param3) => { // $ Source[js/request-forgery]
- JSDOM.fromURL(param1); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ JSDOM.fromURL(param1); // $ Alert[js/request-forgery]
 }));
 const router = require('koa-router')();
 const app = new Koa();
 router.get('/', async (ctx, next) => {
- JSDOM.fromURL(ctx.params.foo); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ JSDOM.fromURL(ctx.params.foo); // $ Alert[js/request-forgery]
 }).post('/', async (ctx, next) => {
- JSDOM.fromURL(ctx.params.foo); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ JSDOM.fromURL(ctx.params.foo); // $ Alert[js/request-forgery]
 });
 app.use(router.routes());
@@ -97,7 +97,7 @@ import {JSDOM} from "jsdom";
 var server = http.createServer(async function(req, res) {
 var tainted = url.parse(req.url, true).query.url; // $ Source[js/request-forgery]
- new WebSocket(tainted); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ new WebSocket(tainted); // $ Alert[js/request-forgery]
 });
@@ -106,7 +106,7 @@ import * as ws from 'ws';
 new ws.Server({ port: 8080 }).on('connection', function(socket, request) {
 socket.on('message', function(message) {
 const url = request.url; // $ Source[js/request-forgery]
- const socket = new ws(url); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ const socket = new ws(url); // $ Alert[js/request-forgery]
 });
 });
@@ -114,7 +114,7 @@ new ws.Server({ port: 8080 }).on('connection', function (socket, request) {
 socket.on('message', function (message) {
 const url = new URL(request.url, base); // $ Source[js/request-forgery]
 const target = new URL(url.pathname, base);
- const socket = new ws(url); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ const socket = new ws(url); // $ Alert[js/request-forgery]
 });
 });
@@ -128,8 +128,8 @@ var server2 = http.createServer(function(req, res) {
 }) // $ Alert[js/request-forgery]
 var myUrl = `${something}/bla/${tainted}`;
- axios.get(myUrl); // $ Alert[js/request-forgery] Sink[js/request-forgery]
+ axios.get(myUrl); // $ Alert[js/request-forgery]
 var myEncodedUrl = `${something}/bla/${encodeURIComponent(tainted)}`;
 axios.get(myEncodedUrl);
-})
\ No newline at end of file
+})
diff --git a/shared/util/codeql/util/test/InlineExpectationsTest.qll b/shared/util/codeql/util/test/InlineExpectationsTest.qll
index 5fe8932808c9..56ac6ea32279 100644
--- a/shared/util/codeql/util/test/InlineExpectationsTest.qll
+++ b/shared/util/codeql/util/test/InlineExpectationsTest.qll
@@ -774,8 +774,10 @@ module TestPostProcessing {
 */
 private string getSinkTag(int row) {
 getQueryKind() = "path-problem" and
- exists(string loc | queryResults(mainResultSet(), row, 4, loc) |
- if queryResults(mainResultSet(), row, 0, loc) then result = "Alert" else result = "Sink"
+ exists(TestLocation sinkLoc, TestLocation selectLoc |
+ mainQueryResult(row, 0, selectLoc) and
+ mainQueryResult(row, 4, sinkLoc) and
+ if sameLineInfo(selectLoc, sinkLoc) then result = "Alert" else result = "Sink"
 )
 }
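Review bot: The doc comment whose closing ` */` sits just above `getSinkTag` (its body starts before this hunk) presumably still describes the old rule, under which a path-problem sink merged into the Alert tag only when its location was identical to the select location; the new condition `if sameLineInfo(selectLoc, sinkLoc) then result = "Alert" else result = "Sink"` merges any sink that is on the same line, so the comment should state that, e.g. `A sink is tagged "Sink" only when it lies on a different line from the alert's select location; a sink on the alert's own line is covered by the "Alert" tag.` This line-level rule is exactly what lets the test files in this commit drop `Sink[...]` wherever it sat beside `Alert[...]` while keeping it on lines such as `options.url = tainted; // $ Sink[js/request-forgery]`. It is also worth noting in that comment that the rule hides the Sink tag for a sink expression that merely shares a line with an unrelated alert, so test authors do not read an absent `Sink` as "no sink was found on this line".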